Tectonic Identity Configuration

Tectonic Identity is an authentication service for both Tectonic Console and kubectl, and allows these components to talk to the Kubernetes API server on an end user's behalf. All Tectonic clusters also enable Role-Based Access Control (RBAC) which uses the user information produced by Identity to enforce permissions.

Tectonic Identity is configured through a YAML ConfigMap, which provides for the configuration of static users. Static users are not tied to any authentication provider, and may be used to set up or troubleshoot your Tectonic installation.

This document provides an overview of the Tectonic Identity ConfigMap, and describes how to create a Static User.

Identity Configuration

Tectonic Identity pulls its configuration options from a config file stored in a ConfigMap, which admins can view and edit using kubectl. As a precaution in case of misconfiguration, use the administrative kubeconfig in the downloaded assets.zip when editing Identity's config.

Identity's deployment is intended to be resilient against invalid config files. Verify the new state to confirm the update, and restore the ConfigMap backup if problems are encountered.

The update's success can be inspected by watching the pods in the tectonic-system namespace.

kubectl get pods --namespace=tectonic-system

Add a static user

Static users are those defined directly in the Tectonic Identity ConfigMap. Static users are intended to be used for initial setup, and may also be used for troubleshooting and recovery. A static user acts as a stand-in, authenticating users without a connection to a backend identity provider.

To add a static user, update the Tectonic Identity ConfigMap with a new staticPasswords entry.

staticPasswords:# The following fields are required.-email:"test1@example.com"# bcrypt hash for string "password"hash:"$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"username:"test1"# username to display. NOT used during login.# userID randomly generated using uuidgen.userID:"1d55c7c4-a76d-4d74-a257-31170f2c4845"

Apply ConfigMap changes, then bring up the Tectonic Identity Pod with the changes to enable users to log in to Tectonic Console using the password.

A bcrypt encoded hash of the user's password can be generated using the coreos/bcrypt-tool. When generating Tectonic Console passwords with bcrypt-tool, using values higher than the default of -cost=10 may result in timeouts. bcrypt also imposes a maximum password length of 56 bytes.

To ensure the user has been added successfully, log in to Tectonic Console using the static user's username and password.

Change password for static user

To change the password of an existing user, generate a bcrypt hash for the new password (using coreos/bcrypt-tool) and add this value to the Tectonic Identity ConfigMap for the selected user.